Boundary - Forcing Re-authentication when Switching Between Organizations

Setup:

  • OIDC Auth Method (Keycloak).

  • A single user has roles in multiple Boundary organizations (e.g., Org A and Org B).

Observed Behavior:

  • A single login correctly provides a unified view of resources from both Org A and Org B.

  • Settings like prompt=login or max_age=0 on the Auth Methods only apply to the initial authentication, not when navigating between resources of different orgs within the client session.

Core Question:

  • Is there a built-in mechanism in Boundary to force a user to re-authenticate when they switch context from one organization to another within a single, active session?

  • Or, is the intended design that a user session is always a union of all their grants, making separate user identities (e.g., user_orgA, user_orgB) the only method to enforce strict session-per-org isolation?

- SOLVED -

The primary issue was resolved by removing the built-in authenticated principal from all custom roles. The authenticated group was granting broad, default permissions to all logged-in users, which bypassed our specific OIDC group filter. After this change, only the custom Managed Group (created under the OIDC Auth Method) should be assigned as a principal to the role.

Final User Experience and Verification:

This configuration ensures complete separation between organizations. The observed behavior is now correct:

  1. A user selects a specific organization (e.g., Organization A) from the drop-down menu in the Boundary Client’s login window.

  2. After a successful login, the user can see all permitted resources within Organization A.

  3. If the user then uses the in-app scope drop-down menu to switch their view to a different organization (e.g., Organization B), they can enter the scope, but absolutely nothing is shown (no targets, hosts, etc.). This is true even if the user’s underlying identity in Keycloak has been granted roles for Organization B.

  4. Resources are only visible within the organization that was selected during the initial login. This confirms that the user’s session is strictly scoped to that single organization.

Workflow for Simultaneous Access to Multiple Organizations:

It is possible for a user to have simultaneous, yet completely isolated, sessions for different organizations.

  1. Open the Boundary Desktop Client and log in to the first organization (e.g., Organization A).

  2. Open a new, separate instance of the Boundary Desktop Client application.

  3. This new window will present the login screen. From the drop-down menu, select and log in to the second organization (e.g., Organization B).

  4. The result is two separate Boundary windows running at the same time, each with its own completely isolated session—one for Organization A and one for Organization B. This allows the user to work with servers from both organizations simultaneously while maintaining strict session separation.
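To make the fix described in the SOLVED update checkable rather than something you eyeball in the admin UI, here is an added audit script (example code, not part of the original post and not HashiCorp's own tooling). It reads role records in the shape produced by `boundary roles read -format json` (the field names `id`, `scope_id`, `principals`, `principal_ids` and `grant_strings` are an assumption about that output, so adjust if your controller version differs), flags any org role that still carries a built-in principal such as the authenticated-users principal `u_auth`, and prints the CLI commands an operator would run to remove it. The sample records are constructed inline so the script runs offline.

```python
"""Audit Boundary roles for the built-in authenticated-users principal.

Added example, not from the original post or from HashiCorp. The post's root
cause was a custom role that listed the built-in "authenticated users"
principal, which grants every logged-in identity the role regardless of the
OIDC managed-group filter. This script finds such roles in exported JSON.
"""
import json

# Built-in principal ids Boundary ships with (assumed; compare with the ids
# your own controller shows for "Authenticated Users" / "Anonymous Users").
AUTHENTICATED_USERS = "u_auth"
ANONYMOUS_USERS = "u_anon"
BUILTIN_PRINCIPALS = {AUTHENTICATED_USERS, ANONYMOUS_USERS}

# Constructed sample: two org roles as they were before the fix (one of them
# with the managed group *and* u_auth, one with u_auth only) and one role in
# the corrected shape (managed group as the only principal). Ids are made up.
SAMPLE_ROLES_JSON = json.dumps([
    {"id": "r_orgA_weak", "scope_id": "o_orgA",
     "principals": [
         {"id": "u_auth", "type": "user", "scope_id": "global"},
         {"id": "mg_orgA", "type": "managed group", "scope_id": "amoidc_keycloak"}],
     "grant_strings": ["ids=*;type=*;actions=read,list"]},
    {"id": "r_orgB_weak", "scope_id": "o_orgB",
     "principals": [
         {"id": "u_auth", "type": "user", "scope_id": "global"}],
     "grant_strings": ["ids=*;type=*;actions=read,list"]},
    {"id": "r_orgA_fixed", "scope_id": "o_orgA",
     "principals": [
         {"id": "mg_orgA", "type": "managed group", "scope_id": "amoidc_keycloak"}],
     "grant_strings": ["ids=*;type=target;actions=read,list,authorize-session"]},
])


def load_roles(text):
    """Parse a JSON array of role records (or a single `{"item": ...}` read)."""
    data = json.loads(text)
    if isinstance(data, dict) and "item" in data:
        return [data["item"]]
    return data


def principal_entries(role):
    """Yield (principal_id, principal_type) for a role.

    Prefers the expanded `principals` list; falls back to `principal_ids`
    with the type inferred from the id prefix (assumed prefixes: mg = managed
    group, g = group, u = user).
    """
    if role.get("principals"):
        for p in role["principals"]:
            yield p["id"], p.get("type", "")
        return
    for pid in role.get("principal_ids", []):
        ptype = "managed group" if pid.startswith("mg") else "group" if pid.startswith("g") else "user"
        yield pid, ptype


def audit_roles(roles):
    """Return {role_id: finding}; a role is ok only if no built-in principal is present."""
    findings = {}
    for role in roles:
        builtin, managed = [], []
        for pid, ptype in principal_entries(role):
            if pid in BUILTIN_PRINCIPALS:
                builtin.append(pid)
            elif ptype == "managed group":
                managed.append(pid)
        findings[role["id"]] = {
            "scope_id": role.get("scope_id", ""),
            "builtin_principals": builtin,
            "managed_groups": managed,
            "ok": not builtin,
        }
    return findings


def remediation_commands(findings):
    """CLI commands an operator would run to strip built-in principals from flagged roles."""
    cmds = []
    for role_id, f in sorted(findings.items()):
        for pid in f["builtin_principals"]:
            cmds.append(f"boundary roles remove-principals -id {role_id} -principal {pid}")
    return cmds


if __name__ == "__main__":
    result = audit_roles(load_roles(SAMPLE_ROLES_JSON))
    for role_id, f in sorted(result.items()):
        status = "OK " if f["ok"] else "BAD"
        print(f"{status} {role_id} ({f['scope_id']}) builtin={f['builtin_principals']} "
              f"managed_groups={f['managed_groups']}")
    for cmd in remediation_commands(result):
        print(cmd)
```

Run it against a real export by replacing `SAMPLE_ROLES_JSON` with the output of `boundary roles read -id <role_id> -format json` for each org role. A role that is flagged but also lists a managed group (like `r_orgA_weak` above) is exactly the post's situation: the managed group looks like the restricting principal, but `u_auth` silently widens the role to every authenticated user.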